Key design elements for data protection
These elements should be shaped by the rights of users, and robust supervisory and
enforcement mechanisms
The age of Big Data, the growing pervasiveness of Aadhaar, and the government’s
exhortations to “go cashless” have led to a re-emergence of interest in privacy
and data protection in India. Although the operation of many laws such as the
Information Technology Act, Aadhaar Act, Right to Information Act, and various
other delegated legislation has an impact on the privacy of individuals, there
is no comprehensive law or policy on privacy or data protection in India. The
privacy bill of 2014 has been lying in cold storage, with no timelines having
been indicated by the government for its reconsideration or enactment.
With a view towards a future where this glaring gap in our legal regime is filled,
we suggest five key elements that should drive the design of a privacy law
(when it is actually enacted), or laws that have an impact on privacy. These
include the manner of collection and retention, use and processing, and sharing
of data. In turn, these elements should be shaped by the rights of users, and
robust supervisory and enforcement mechanisms.
First, when entities collect data, the law should require them to specify the purpose of data collection. Users should be
provided with an opt-out clause, so that they can withdraw their consent for
the data collection. Notably, the Lok Sabha rejected the amendment to the
Aadhaar Act that sought to introduce an opt-out clause, allowing the biometric
and demographic information of the Aadhaar-number holder to be deleted, leaving
citizens with the unsettling feeling of having surrendered their biometrics in
perpetuity. On retention, the laws should specify the manner and form of
preserving data, the time limits for such retention, and whether they recognize
the “right to be forgotten”.
The second element focuses on the use and processing of data. Data is constantly being collected, both actively (for
example, when we give our information to register for an app) and passively
(for example, through GPS tracking of our movements on Google Maps, etc.). Big
Data technologies have made it easy to extrapolate personal information about
individuals. A recent study found that an individual’s Facebook “likes” reveal,
with a reasonable accuracy, their ethnicity, religious and political leanings,
sexual orientation, and personality traits. This has meant that collection
limitation (how much information we reveal about ourselves) is not enough. The
law needs to focus on use limitation (how data controllers can use the
information collected about their users), putting the ultimate onus on the
entities that collect and control data. This also involves devising rules of
proportionality and the narrow tailoring of exceptions that will govern the
balancing of competing interests. Further, India can learn from European Union
(EU) initiatives on data protection “by design” and “by default”, which focus
on improving default privacy settings so as to reduce subsequent regulatory
intervention.
Third, a privacy law or a law having an impact on privacy must focus on the sharing and transfer of data. Currently, there
is no regulatory framework in place to control how data is shared by the data
controller with third parties, much less any consideration of the different
standards that govern the sharing of information with governmental and
non-governmental entities, both within India and abroad. Our laws need to be
able to deal with situations such as the Facebook-WhatsApp data-sharing policy
(for commercial benefits) or the Apple-Federal Bureau of Investigation
stand-off (for law enforcement).
Fourth, the design of the law should recognize the rights of users. Given that the constitutional status of the right to
privacy is in flux, with the question of whether such a right exists in our
constitutional framework having been referred by the Supreme Court to a
Constitution Bench, it is imperative for our laws to create such a statutory
right at the very least. We can take guidance from the EU framework by
recognizing the rights to data quality (ensuring accuracy of personal data by
allowing individuals access and correction rights); data integrity (ensuring
security of data); data-breach notification (requiring users to be informed of
any privacy-related breaches); and data portability (allowing users to transmit
their personal data across service providers).
The fifth element is providing for supervision and redress mechanisms in the law. The success of any law depends on
enforcement, which in the Indian context has traditionally been weak. Our
focus, for too long, has been on writing laws, without much attention to the
effectiveness of redressal mechanisms. This is best exemplified in the Aadhaar
Act, which only permits the UIDAI (Unique Identification Authority of India),
and not the Aadhaar number holder, to initiate criminal action. The
accompanying enrolment regulation envisages a grievance redressal “contact
centre”, although the actual process of redress and the binding nature of such
a mechanism are left unspecified.
It is important that these new laws are broad enough to ensure their wide
applicability, and simultaneously flexible enough to adapt to technological
changes. They should also make clear whether they apply to both the state and
the private sector, and if so, whether different standards apply to them.
Drafting laws with these key principles in mind will only be the start of a
long and difficult road ahead, in terms of making India compliant with globally
accepted privacy and data-protection standards, but it is an important step
forward.
Source | Mint – The Wall Street Journal | 9 February 2017
Regards
Pralhad Jadhav
Senior Manager @ Library
Khaitan & Co